From 1b57b3a2b28baa11760959a312ba20998e08716a Mon Sep 17 00:00:00 2001 From: Mathieu Champlon Date: Fri, 18 Feb 2022 20:33:55 +0100 Subject: [PATCH 1/4] Move security note to correct version --- desktop/windows/release-notes/index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/desktop/windows/release-notes/index.md b/desktop/windows/release-notes/index.md index 8ec50c562e..9163ebe01c 100644 --- a/desktop/windows/release-notes/index.md +++ b/desktop/windows/release-notes/index.md @@ -32,10 +32,6 @@ Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/pro > Windows](https://desktop.docker.com/win/main/amd64/Docker%20Desktop%20Installer.exe?utm_source=docker&utm_medium=webreferral&utm_campaign=docs-driven-download-win-amd64){: > .button .primary-btn } -### Security - -- Fixed [CVE-2022-23774](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23774){: target="_blank" rel="noopener" class="_"} where Docker Desktop allows attackers to move arbitrary files. - ### Bug fixes and minor changes - Fixed an issue that caused new installations to default to the Hyper-V backend instead of WSL 2. @@ -47,6 +43,10 @@ Alternatively, you can edit the Docker Desktop settings file located at `%APPDAT ## Docker Desktop 4.5.0 2022-02-10 +### Security + +- Fixed [CVE-2022-23774](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23774){: target="_blank" rel="noopener" class="_"} where Docker Desktop allows attackers to move arbitrary files. + ### New - Docker Desktop 4.5.0 introduces a new version of the Docker menu which creates a consistent user experience across all operating systems. For more information, see the blog post [New Docker Menu & Improved Release Highlights with Docker Desktop 4.5](https://www.docker.com/blog/new-docker-menu-improved-release-highlights-with-docker-desktop-4-5/){: target="_blank" rel="noopener" class="_"} From 77f5bef236f7707cf9523b7414d1c693bebec70f Mon Sep 17 00:00:00 2001 
From: Kelvin Tay Date: Wed, 23 Feb 2022 00:07:46 +0900 Subject: [PATCH 2/4] update notes on next-steps for CI/CD best-practices (#14289) * Update best-practices.md - added a link w.r.t. to Docker Hub Rate Limits - removed the description around "recent updates" since this may not age well over time. - split the sentence into 2 for _hopefully_ better readability * Update ci-cd/best-practices.md * Add relative path to link to Download rate limit Co-authored-by: Usha Mandya <47779042+usha-mandya@users.noreply.github.com> --- ci-cd/best-practices.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ci-cd/best-practices.md b/ci-cd/best-practices.md index dcab0879ad..dfb27912fc 100644 --- a/ci-cd/best-practices.md +++ b/ci-cd/best-practices.md @@ -36,7 +36,8 @@ The other change you may want to make is only have your release images go to Doc ## Next steps -We know there are a lot more tips and tricks for using Docker in CI, however, we think these are some of the important things, considering the recent Docker Hub rate limit updates. +We know there are a lot more tips and tricks for using Docker in CI. +However, we think these are some of the important things, considering the [Docker Hub rate limits](../docker-hub/download-rate-limit.md). > **Note** > From aaee0f1e838e484d9078c6de05a7f890395c8c52 Mon Sep 17 00:00:00 2001 From: Usha Mandya Date: Tue, 22 Feb 2022 17:39:56 +0000 Subject: [PATCH 3/4] Add onboarding FAQs Signed-off-by: Usha Mandya --- _data/toc.yaml | 2 + docker-hub/onboarding-faqs.md | 111 ++++++++++++++++++++++++++++++++++ 2 files changed, 113 insertions(+) create mode 100644 docker-hub/onboarding-faqs.md diff --git a/_data/toc.yaml b/_data/toc.yaml index ea4c7a7c5d..b22f6e0906 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml @@ -1302,6 +1302,8 @@ manuals: section: - path: /docker-hub/ title: Quickstart + - path: /docker-hub/onboarding-faqs/ + title: Onboarding FAQs - path: /docker-id/ title: Docker ID accounts - path: /docker-hub/orgs/ 
diff --git a/docker-hub/onboarding-faqs.md b/docker-hub/onboarding-faqs.md new file mode 100644 index 0000000000..c58fd06d2e --- /dev/null +++ b/docker-hub/onboarding-faqs.md 
@@ -0,0 +1,111 @@ +--- +description: Frequently asked questions +keywords: onboarding, docker, teams, orgs +toc_max: 2 +--- + +### What is a Docker ID? + +A Docker ID is a username to access Docker Hub repositories and hosted Docker +services. All you need is an email address to create a Docker ID. Your Docker ID must be between 4 and 30 characters long, and can only contain +numbers and lowercase letters. You cannot use any special characters or spaces. +For more information, see [Docker ID](../docker-id/index.md). If your admin enforces [Single sign-on (SSO)](../single-sign-on/index.md), a Docker ID is provisioned for new users. + +### What if my Docker ID is taken? + +If you have a trademark for your namespace, [Docker Support](https://hub.docker.com/support/contact/){: target="_blank" rel="noopener" +class="_"} can retrieve the Docker ID for you. + +### What’s an organization? + +Docker users become members of an organization when they are assigned to at +least one team in the organization. When you first create an organization, +you’ll see that you have a team, the **Owners** (Admins) team, with a single +member. An organization owner is someone that is part of the owners team. They +can create new teams and add members to an existing team using their Docker ID +or email address and by selecting a team the user should be part of. An +organization owner can also add additional organization owners to help them +manage users, teams, and repositories in the organization. [Learn more](orgs.md). + +### How many organizations can I create? + +You can create multiple organizations. However, if you’re enabling SSO and have multiple organizations, each organization must have a domain associated with it. + +### What’s a team? + +A **Team** is a group of Docker users that belong to an organization. An organization can have multiple teams. When you first create an organization, you’ll see that you have a team, the owners team, with a single member. 
An organization owner can then create new teams and add members to an existing team using Docker IDs or email address and by selecting a team the user should be part of. [Learn more](orgs.md#create-a-team). + +### Who is an organization owner? + +An organization owner is an administrator who is responsible to manage +repositories and add team members to the organization. They have full access to +private repositories, all teams, billing information, and organization settings. +An organization owner can also specify [permissions](orgs.md#configure-repository-permissions) for each team in the +organization. Only an organization owner can enable SSO for the organization. +When SSO is enabled for your organization, the organization owner can also +manage users. + +Docker can auto-provision Docker IDs for new end-users or users who'd like to +have a separate Docker ID for company use through SSO enforcement. + +The organization owner can also add additional owners to help them manage users, teams, and repositories in the organization. + +### How do I add an organization owner? + +An existing owner can add additional team members as organization owners. All +they need to do is select the organization from the +[Organizations](https://hub.docker.com/orgs){: target="_blank" rel="noopener" +class="_"} page in Docker Hub, add the Docker ID/Email of the user, and then +select the **Owners** team from the drop-down menu. [Learn more](orgs.md#the-owners-team). + +### Do users first need to authenticate with Docker before an owner can add them to an organization? + +No. Organization owners can invite users through email and also choose a team for them to join within the invite. + +### If a user has their personal email associated with a user account in Docker Hub, do they have to convert to using the org’s domain before they can be invited to join an organization? + +Yes. When SSO is enabled for your organization, each user must sign in with the company’s domain. 
However, the user can retain their personal credentials and create a new Docker ID associated with their organization's domain. + +### Can I convert my personal user account (Docker ID) to an organization account? + +Yes. You can convert your user account to an organization account. Once you +convert a user account into an organization, it is not possible to +revert it to a personal user account. For prerequisites and instructions, see +[Convert an account into an organization](convert-account.md). + +### Our users create Docker Hub accounts through self-service. How do we know when the total number of users for the requested licenses has been met? Is it possible to add more members to the organization than the total number of licenses? + +Currently, we don’t have a way to notify you. However, if the number of team +members exceed the number of licenses, you will receive an error informing you +to contact the administrator due to lack of seats. + +### How can I merge organizations in Docker Hub? + +Reach out to your Support contact if you need to consolidate organizations. + +### Do organization invitees take up seats? + +Yes. A user invited to an organization will take up one of the provisioned +seats, even if that user hasn’t accepted their invitation yet. Organization +owners can manage the list of invitees through the **Invitees** tab on the organization settings page in Docker Hub. + +### Do organization owners take a seat? + +Yes. Organization owners will take up a seat. + +### If there are two organizations and a user belongs to both orgs, do they take up two seats? + +Yes. In a scenario where a user belongs to two orgs, they take up one seat in each organization. + +### Is it possible to set permissions for repositories within an organization? + +Yes. You can configure repository access on a per-team basis. 
For example, you +can specify that all teams within an organization have **Read and Write** access +to repositories A and B, whereas only specific teams have **Admin** access. Org +owners have full administrative access to all repositories within the +organization. [Learn more](orgs.md#configure-repository-permissions). + +### Can I configure multiple SSO identity providers (IdPs) to authenticate users to a single org? + +Docker SSO allows only one IdP configuration per organization. For more +information, see [Configure SSO](../single-sign-on/index.md) and [SSO FAQs](../single-sign-on/faqs.md). From 982158dd3e094f80869f145ed72a406abb837c98 Mon Sep 17 00:00:00 2001 From: jerae-duffin <83294991+jerae-duffin@users.noreply.github.com> Date: Tue, 22 Feb 2022 13:05:07 -0600 Subject: [PATCH 4/4] updated SSO docs (#14279) * updated SSO docs * Update single-sign-on/index.md Co-authored-by: Josh * Update single-sign-on/index.md Co-authored-by: Josh * Update single-sign-on/index.md Co-authored-by: Josh * Update single-sign-on/index.md Co-authored-by: Usha Mandya <47779042+usha-mandya@users.noreply.github.com> * Update single-sign-on/index.md Co-authored-by: Usha Mandya <47779042+usha-mandya@users.noreply.github.com> Co-authored-by: Josh Co-authored-by: Usha Mandya <47779042+usha-mandya@users.noreply.github.com> --- single-sign-on/images/sso-attribute.png | Bin 0 -> 16437 bytes single-sign-on/index.md | 25 +++++++++++++++++------- 2 files changed, 18 insertions(+), 7 deletions(-) create mode 100644 single-sign-on/images/sso-attribute.png 
diff --git a/single-sign-on/images/sso-attribute.png b/single-sign-on/images/sso-attribute.png new file mode 100644 index 0000000000000000000000000000000000000000..e7df04b95d9d615a40b205014118df115f38309f GIT binary patch literal 16437
**Note:** +> +> IdP initiated connections are not supported at this time + The following video walks you through the process of configuring SSO. 
@@ -55,13 +59,18 @@ The following video walks you through the process of configuring SSO. 5. Log into your IdP to complete the IdP server configuration process. Refer to your IdP documentation for detailed instructions. > **Note:** + > > the NameID is your email address and is set as the default. - > For example, yourname@mycompany.com. + > For example, yourname@mycompany.com. We also support the optional `name` attribute. This attribute name must be lower-cased. _The following is an example of this attribute in Okta._ + + ![SSO Attribute](images/sso-attribute.png){:width="500px"} 6. Complete the fields in the **Configuration Settings** section and click **Save**. If you want to change your IdP, you must delete your existing provider and configure SSO with your new IdP. ![SSO SAML3](images/sso-saml3.png){:width="500px"} +7. Proceed to **add your domain** before you test and enforce SSO. + ### Azure AD IdP configuration 1. Log into [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} as an administrator and navigate to **Organizations** and select the organization that you want to enable SSO on. @@ -84,9 +93,11 @@ The following video walks you through the process of configuring SSO. ![SSO Azure3](images/sso-azure3.png){:width="500px"} +7. Proceed to **add your domain** before you test and enforce SSO. + ### Domain control -Click **Add Domain** and specify the corporate domain you’d like to manage with SSO. Domains should be formatted without protocol or www information, for example, yourcompany.com. +Click **Add Domain** and specify the corporate domain you’d like to manage with SSO. Domains should be formatted without protocol or www information, for example, yourcompany.com. Docker currently supports one email domain for each organization. > **Note** >
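Review bot: In desktop/windows/release-notes/index.md (PATCH 1/4), the Security entry re-added under "Docker Desktop 4.5.0" still reads "where Docker Desktop allows attackers to move arbitrary files" in the present tense, which sits oddly under "Fixed" and can be read as describing the current release. Suggest "which allowed attackers to move arbitrary files". Because the entry is being moved from the preceding release section to 4.5.0, it would also help to name the fixed version in the sentence itself, so the advisory stays unambiguous if the sections are reshuffled again.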
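Review bot: In docker-hub/onboarding-faqs.md (PATCH 3/4), the answer to "If a user has their personal email associated with a user account in Docker Hub, do they have to convert to using the org's domain before they can be invited to join an organization?" opens with an unconditional "Yes." while the explanation only covers the case "When SSO is enabled for your organization", and the answer just before it says owners can invite users through email. Suggest qualifying the answer so that readers without SSO are not told to change accounts. Separately, the owner description grants "full access to private repositories, all teams, billing information, and organization settings" and the page twice encourages adding additional owners; a sentence recommending that the Owners team be kept small would fit there. The front matter sets `toc_max: 2` while every question is a `###` heading, so it is worth confirming that the questions still appear in the page TOC.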
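Review bot: In single-sign-on/index.md (PATCH 4/4), the new note "IdP initiated connections are not supported at this time" is missing its closing period and does not tell the reader what to do instead. Suggest stating where users must start the sign-in flow and what they will see if they launch it from the IdP, so administrators can recognise the failure when it is reported to them.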
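Review bot: In the `@@ -55,13 +59,18 @@` hunk of single-sign-on/index.md, the added sentences "We also support the optional `name` attribute. This attribute name must be lower-cased." do not say what Docker uses the value for or what happens when the IdP sends the attribute with different casing. State both, since a silently ignored attribute is hard to debug from the IdP side. The screenshot is Okta-specific but sits in a step that tells readers to follow their own IdP's documentation, so the alt text "SSO Attribute" should say so too. The note body also still starts with lower-case "the NameID".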
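Review bot: In the `@@ -84,9 +93,11 @@` hunk of single-sign-on/index.md (and the matching step 7 added in the previous hunk), "Proceed to **add your domain**" points at a section whose heading is "### Domain control", and the bold text is not a link. Suggest linking it to that heading so the step can be followed. In the Domain control paragraph, "Docker currently supports one email domain for each organization" should also say what happens to members whose email is on a different domain once SSO is enforced, since that determines who can still sign in.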